Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Change #274409

Category wget
Changed by Acts1631 <acts1631kjvohnoyoudont@proton.me>
Changed at Thu 09 Jul 2026 19:47:42
Repository https://gitlab.com/gnuwget/wget.git
Project wget
Branch master
Revision 4f85853f641863d5915786a8413e1a213726a62b

Comments

ftp: validate PASV/LPSV response address against control connection peer
* src/ftp-basic.c (ftp_pasv): Reject if peer address doesn't match advertised
  address,
  (ftp_lpsv): Likewise.

ftp_pasv() and ftp_lpsv() copied the IP address and port advertised in
the server's 227 response without checking that it matched the peer
of the control connection.  A malicious or compromised FTP server
could therefore direct wget's data connection to an arbitrary host and
port of its choosing (e.g. an internal service unreachable from the
attacker directly), which is a server-side request forgery.

ftp_epsv() was already safe since it only extracts a port and reuses
the pre-filled control-connection address.

Fix ftp_pasv() and ftp_lpsv() the same way: capture the control
connection's peer address via socket_ip_address() before parsing the
response, and reject the response (FTPINVPASV) if the parsed address
does not match.

Verified with a fake FTP server that returns a PASV response pointing
at a different loopback address (127.0.0.2 instead of the real peer
127.0.0.1): before the fix wget connects to the spoofed address, after
the fix it rejects the response with "Cannot parse PASV response."
Legitimate transfers using a correctly-addressed PASV response
continue to work.

Copyright-paperwork-exempt: Yes

Changed files